How to suppress a 401 authentication prompt in SharePoint 2010 for excluded resources
3 years ago
Originally Published: 2013-03-07
Article Number
000044128
Applies To
RSA Access Manager 4.9.3 Agent for IIS 7.x
Issue
How to suppress a 401 authentication prompt in SharePoint 2010 for excluded resources
Cause
In SharePoint 2010 Microsoft introduced an SSO cookie called WSS_KeepSessionAuthenticated.  This cookie is issued whenever Windows Authentication occurs.  When integrating RSA Access Manager with SharePoint 2010 using Protocol Transition after the user is authenticated to RSA Access Manger the agent will express windows credentials for any protected resource that are served.  For excluded resources the RSA Access Manger Agent would normally not express Windows Credentials with the request and would allow anonymous access to the resource.  Unfortunately in use cases where the user first access protected content and then subsequently accesses excluded content, the presence of the WSS_KeepSessionAuthenticated  cookie will cause SharePoint 2010 to assume the user is still authenticated, but because there are no credentials will issue a 401 authentication prompt. 
Resolution
This issue has been resolved in hotfix 4.9.1.16 for RSA Access Manger 4.9.1 Agent for IIS 7.x (64 bit).  Contact RSA Customer Support and request this hotfix or the latest cumulative fix for your version.
This fix introduces a new parameter that allows you to designate resources that are excluded, but where you still wish to have the Protocol Transition credentials expressed.  
  # Specifies Microsoft application directory resources that
  # are given anonymous access in SharePoint and excluded or
  # unprotected in Access Manager. When the request for these set
  # of Url's are made and the user already has a valid CTSESSION,
  # then the agent would set the impersonation token to make
  # sure that SharePoint does not fail these requests with "401 unauthorized".
  # 
  # Allowed Value:
  #     Comma-separated Microsoft application virtual directory
  #     resources in IIS.
  # 
  # Example:
  #     cleartrust.agent.iis.msapp_anonymous_resource_list=/Lists/Calendar/*
  # 
  # Dependencies:
  #     This parameter needs to be configured if this web server hosts Microsoft
  #     applications that need SSO with other RSA ClearTrust protected resources
  #     and the SharePoint resources with anonymous access is excluded in Agent.
  # 
  # Note: Set this parameter only if the SharePoint pages are configured
  # anonymous access and excluded from Access Manager agent.
  #
  cleartrust.agent.iis.msapp_anonymous_resource_list=

Notes
This hotfix is superseded by hotfix 4.9.1.17 See Access Manager inclusion list does not match URL's with spaces.
Note that the RSA Agent can only express credentials if the use has a valid RSA Access Manager authenticated session and a valid CTSESSION cookie.  The CTSESSION cookie is only updated when the user is actively browsing protected content.  If the user attempts to browse excluded content longer than time set in the agent idle timeout setting, without accessing any protected content, then the users session will be invalidated.  In these situations RSA Access Manager will no longer be able to express the Protocol Transition credentials and the user will then be presented with a 401 authentication prompt.

Related Articles

Trending Articles

Don't see what you're looking for?